JS: share ConcatSanitizer in common module

2026-05-01 11:45:14 +02:00 · 2018-11-20 18:19:15 +00:00
parent 49cd2876c9
commit b16072a7be
3 changed files with 24 additions and 24 deletions
--- a/javascript/ql/src/semmle/javascript/security/dataflow/MethodNameInjection.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/MethodNameInjection.qll
@@ -5,6 +5,7 @@

 import javascript
 import semmle.javascript.frameworks.Express
+import PropertyInjectionShared

 module MethodNameInjection {
  private import DataFlow::FlowLabel
@@ -61,7 +62,8 @@ module MethodNameInjection {

    override predicate isSanitizer(DataFlow::Node node) {
      super.isSanitizer(node) or
-      node instanceof Sanitizer
+      node instanceof Sanitizer or
+      node instanceof PropertyInjection::Sanitizer
    }

    /**
@@ -131,15 +133,4 @@ module MethodNameInjection {
      result = unsafeFunction()
    }
  }
-
-  /** 
-   * An expression that sanitizes a value for method name injection. That 
-   * is, if a string is prepended or appended to the remote input, an attacker 
-   * cannot access arbitrary properties.  
-   */
-  class ConcatSanitizer extends Sanitizer, DataFlow::ValueNode {
-    ConcatSanitizer() {
-      StringConcatenation::getAnOperand(this).asExpr() instanceof ConstantString
-    }
-  }
 }
--- a/javascript/ql/src/semmle/javascript/security/dataflow/PropertyInjectionShared.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/PropertyInjectionShared.qll
@@ -0,0 +1,18 @@
+import javascript
+
+module PropertyInjection {
+  /**
+   * A data-flow node that sanitizes user-controlled property names that flow through it.
+   */
+  abstract class Sanitizer extends DataFlow::Node {
+  }
+
+  /**
+   * Concatenation with a constant, acting as a sanitizer.
+   */
+  private class ConcatSanitizer extends Sanitizer {
+    ConcatSanitizer() {
+      StringConcatenation::getAnOperand(this).asExpr() instanceof ConstantString
+    }
+  }
+}
--- a/javascript/ql/src/semmle/javascript/security/dataflow/RemotePropertyInjection.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/RemotePropertyInjection.qll
@@ -6,6 +6,7 @@

 import javascript
 import semmle.javascript.frameworks.Express
+import PropertyInjectionShared

 module RemotePropertyInjection {
  /**
@@ -45,7 +46,8 @@ module RemotePropertyInjection {

    override predicate isSanitizer(DataFlow::Node node) {
      super.isSanitizer(node) or
-      node instanceof Sanitizer
+      node instanceof Sanitizer or
+      node instanceof PropertyInjection::Sanitizer
    }
  }

@@ -115,15 +117,4 @@ module RemotePropertyInjection {
      result = " a header name."
    }
  }
-  
-  /** 
-   * An expression that sanitizes a value for remote property injection. That 
-   * is, if a string is prepended or appended to the remote input, an attacker 
-   * cannot access arbitrary properties.  
-   */
-  class ConcatSanitizer extends Sanitizer {
-    ConcatSanitizer() {
-      StringConcatenation::getAnOperand(this).asExpr() instanceof ConstantString
-    }
-  }     
 }